
Monday, April 20, 2020

Infosec security considerations for the Norwegian smittestopp covid19 tracking application

Norway has employed contact tracing as one of the measures in the fight against the Covid19 pandemic with its "Smittestopp" application. That application was hailed as safe to use and was even recommended by the Norwegian prime minister, who prompted the public to download and use the app (link in Norwegian). While urgent situations require urgent measures and I personally consider the app a step in the right direction, there are serious technical/information security objections to the way Norway has implemented it. Some of them concern the structure of tracing applications in general, whereas others are specific to how the Simula Lab and FHI have chosen to roll it out. I offer these opinions as an active infosec researcher and IT practitioner. I am employed by the University of Oslo and I consult for a private cybersecurity firm, but I declare openly that I have no conflict of interest with the authors that made the "Smittestopp" app, nor do I express in this article the views of the University of Oslo or Steelcyber Scientific. Opinions are my own.

It is my assertion that people should think twice before downloading and using the "Smittestopp" application in its current form/implementation. This is especially true for people that use older Android (versions 8 and 9) mobile devices, as well as older versions of iPhones, AND perform important (business critical) functions with them: e-banking, logging in to sensitive systems, etc.
 
Before I list the technical objections in support of my assertion, it's useful for the reader to read excellent general references on how contact tracing works in principle. The Norwegian implementation follows the same principle, yet with distinct choices that really degrade the quality of the solution. 

My first objection has to do with the accuracy of Bluetooth in estimating the proximity of other devices. This is not only a problem in the Norwegian implementation but a global issue. In particular, the Bluetooth protocol uses the Received Signal Strength Indicator (RSSI) to measure the distance between devices. The principle is that the stronger the signal, the closer the devices are to each other. However, different Bluetooth chipset implementations measure RSSI in slightly different ways. In addition, a particular variant of Bluetooth called 'Bluetooth Low Energy' or 'Bluetooth LE', which seems to be available in most mobile phones and is used for proximity sensing, is very noisy. Its transmission frequency often interferes with other devices in the 2.4 GHz range, such as older WiFi routers, unshielded USB cables and microwave ovens. The device will do its best to extend the 'beacons' (pulses used to advertise its presence and availability) by keeping constant time and regulating the transmission power to overcome other sources of interference. In such a frequency-congested environment, a real distance of 1.5 meters could be estimated as 2.5 meters (false negative), or a real distance of 2.5 meters could be estimated as 1.5 meters (false positive). The reliability of the collected data will certainly have to be corrected in software by unproven heuristics. Bluetooth 5.1 will improve data reliability; however, as it came out in the second half of 2019, we will not see it adopted by mobile phone vendors until sometime in 2020/21. Most devices operate with the noisy and inaccurate Bluetooth LE as I write this.
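To make the RSSI argument concrete, here is an added example (my own illustration, not code from Simula/FHI or the Smittestopp app) that uses the standard log-distance path-loss model to turn an RSSI reading into a distance estimate and shows how a few dB of chipset bias or interference noise pushes a contact across a hypothetical 2 m cut-off in either direction. The calibration constant, path-loss exponent and threshold are assumptions chosen for illustration.

```python
import math
import random

# Assumed log-distance path-loss model (a textbook model, not from the original post):
#   rssi_dbm = RSSI_AT_1M - 10 * N * log10(distance_m)
RSSI_AT_1M = -59.0         # assumed calibrated RSSI of the beacon at 1 m, in dBm
N = 2.0                    # assumed path-loss exponent (2.0 = free space)
CONTACT_THRESHOLD_M = 2.0  # hypothetical cut-off for counting a "close contact"


def expected_rssi(distance_m: float) -> float:
    """Ideal RSSI a receiver would see at distance_m under the model above."""
    return RSSI_AT_1M - 10.0 * N * math.log10(distance_m)


def estimate_distance(rssi_dbm: float) -> float:
    """Invert the model: the distance an app would infer from one RSSI reading."""
    return 10.0 ** ((RSSI_AT_1M - rssi_dbm) / (10.0 * N))


def classify(true_distance_m: float, rssi_offset_db: float) -> dict:
    """Compare true proximity with the app's conclusion when the measured RSSI
    is shifted by rssi_offset_db (chipset bias or interference)."""
    measured = expected_rssi(true_distance_m) + rssi_offset_db
    est = estimate_distance(measured)
    truly_close = true_distance_m <= CONTACT_THRESHOLD_M
    app_says_close = est <= CONTACT_THRESHOLD_M
    if truly_close and not app_says_close:
        outcome = "false negative"
    elif app_says_close and not truly_close:
        outcome = "false positive"
    else:
        outcome = "correct"
    return {"estimated_m": round(est, 2), "outcome": outcome}


def misclassification_rate(true_distance_m: float, noise_sigma_db: float,
                           trials: int = 1000, seed: int = 1) -> float:
    """Fraction of Gaussian-noisy readings that land on the wrong side of the cut-off."""
    rng = random.Random(seed)
    wrong = sum(
        classify(true_distance_m, rng.gauss(0.0, noise_sigma_db))["outcome"] != "correct"
        for _ in range(trials)
    )
    return wrong / trials


if __name__ == "__main__":
    print("1.5 m read 5 dB too weak   ->", classify(1.5, -5.0))
    print("2.5 m read 5 dB too strong ->", classify(2.5, +5.0))
    print("error rate at 1.5 m, 6 dB noise:", misclassification_rate(1.5, 6.0))
```

A 5 dB bias is well within the spread between chipsets, and with 6 dB of noise roughly a third of the readings at 1.5 m are classified as no contact.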

My second objection concerns the cyber security aspects of having your Bluetooth LE constantly advertising important device identifiers in the open, exchanging data, and doing all this over an extended transmission range. Amongst the various things advertised in the open by a Covid19 tracking app (the Norwegian "Smittestopp" is no exception) is a unique device identifier (or UUID). The idea here is to identify you to the rest of the devices that are in proximity and have your phone say "Hi, I am here! Are you there?", without revealing your real-world identity (name, phone number) to the rest of the mobile phone users. This is an essential aspect of user privacy, because the theory says that an adversary can use unique identifiers of your phone (MAC address, IMEI) to get back to you. Your mobile phone provider, for example, logs the IMEI and relates IMEIs to phone numbers. The thing here is that even if the Simula/FHI app authors take all the precautions in the world to make a good, anonymous UUID to broadcast your presence, they cannot control other vulnerabilities that exist in the protocol implementation. These vulnerabilities exist for a wide range of mobile phone Bluetooth chipsets and mobile operating systems. Various Android Bluetooth and Apple Bluetooth implementations have been found vulnerable and, historically, the abuse of the Bluetooth protocol in what we call bluejacking/bluesnarfing attacks has caused problems. Remember, Bluetooth LE can sometimes transmit up to 100 meters; check the specs of the protocol, it can certainly do that to try and overcome noisy environments by regulating transmission power. That's music to the ears of an adversary who can exploit these weaknesses to execute arbitrary code on your vulnerable mobile phone. This can seriously jeopardize anonymity and mobile device integrity.

So far, I hope I have established a good basis that justifies why bluetooth can provide unreliable data and open the door to attacks, let alone the things it will do to the battery of a mobile phone. This is not specific to the Norwegian implementation of the app. The following paragraphs will elaborate on the objections I have on the peculiar aspects of the Norwegian implementation.

First of all, I have to pick on the fact that Simula/FHI have cited the shortness of time as the reason for not releasing open source code for the purposes of transparency and critical system review. I regret saying that this is shockingly contrary to every good research practice. A public institution/research entity that is in general funded by taxpayers' money (even if not for the purposes of the "Smittestopp" project) should never go down that way. You are asking people to trust you with their personal data. We (experts and practitioners) have no way to see critical issues such as how you generate the UUID and what exactly you are doing to handle the Bluetooth inaccuracies. I will also need to criticize their statements that Open Source does not contribute to privacy. The issue here is not to contest whether closed source or open source is more suitable to safeguard privacy. We can easily refute their arguments by noting that the Linux kernel, whose source code is open at large, is used successfully by mission/life critical systems. The issue is how one can enable a process for a suitable number of experts to comment on and improve the system. I have no doubt that Simula and FHI have capable people. I doubt that they and the (IMHO) non-transparently appointed panel of external experts have enough expertise to secure systems whose scope and scale are similar to the needs of the task in such a short time. Have these people approved the app as safe and reliable and, if yes, how did they miss the issues pointed out here as well as many other ones?

Finally, the transparency and expert review measures do not concern only the source code but the entire infrastructure including central storage/processing activities. We are assured that all relevant measures have been taken to safeguard the data, yet no standards that these procedures/infrastructure adhere to are mentioned. I wonder why.

Thursday, March 19, 2020

Steps to increase your online/Internet usage efficiency during the coronavirus outbreak

The world is in the process of adapting to remote work/home office solutions. This is something that is going to last throughout the coronavirus outbreak and is a practice/paradigm that is going to remain long after the world tackles the covid19 pandemic. The world wide telecommunications infrastructure is as critical as the health system facilities and the transportation/supply chain. We need to keep the world going and if we are not coordinated and able to communicate/exchange information, this is not going to be good for us. 

As the world is correctly trying to flatten the curve of the covid19 cases to ease the burden on national/regional health systems, it also needs to flatten the load on the telecommunications infrastructure for the same reasons. Regional, national and international data networks are already facing traffic capacity problems. This is because a large number of the wired and wireless services (mobile telephony, home broadband services) operate on a contention ratio principle. In simple terms, if we have for example 10000 users in an infrastructure, the data networks are designed to serve only 1000 of them simultaneously. The 1001st simultaneous user would experience either a drop of service or degraded service quality (slow, poorly functioning connections). While the contention ratio principle is not directly applicable to more modern networks (say Fiber to the Home/Premises), it applies to a large part of the world, where copper/telephone wire is still the medium for offering broadband services (ADSL/ADSL+). Consequently, even if you are in a country with very good capacity on broadband networks and telephony (South Korea, Japan, Scandinavian countries), your online actions still impact the infrastructure of countries that are less well equipped (sadly most other countries, including Europe, the US, Africa, India, China).

If these problems increase and outpace the efforts of Internet Service and Telecommunication providers to gradually increase (where possible) the capacity, ISPs will start rationing/prioritizing the traffic and this will impact everyone in a negative way. As a network and devops engineer, I already see this problem and I would like to suggest simple steps that will make a big impact on traffic numbers and will help everyone.

1. Avoid sending/forwarding those long 'funny' viral videos on social media/WhatsApp/Viber chat: If you are at home on an ADSL connection which is asymmetric, or on a mobile data plan in a densely populated area, you are using scarce valuable capacity (and possibly money, eating up your account credit). Is it really important that you send the video? Can you just send a text describing the situation or even a voice call, when you check on your folks/friends instead and talk about it? That might be preferable.

2. Use video calls only when absolutely necessary: That might sound harsh, right now that most of us are shut in at home and we need human contact. If for example, you are a psychologist and you need to see your patient, do use it by all means. However, if you want to call someone for a practical issue (shopping, arranging something) do you really have to video call? If something is short, practical and can be done by voice, please think before pressing the Video call button. Choose the voice-only option instead. This is especially true for online work meetings with a large number of participants. If you only need to listen and watch a screencast from the presenter in an online meeting, why do you really need your camera on?

3. Please throttle down your torrent/P2P traffic: If you share large files via torrent from home/work connections, consider throttling down (limiting) the traffic both in terms of speed and number of torrent connections. Most P2P torrent applications allow you to do that. I know it is tempting to use the capacity of a good fiber connection with your hard earned money. However, be considerate to others and use the capacity you have in a responsible manner. 

4. Use Netflix/YouTube and other content streaming providers responsibly: Watching a movie/listening to music is an important human entertainment need. However, consider doing it in the following manner:
  • Try not to segregate your movie choices (your partner watches one, your kids another and you on your own, just because you have your own device). It's good for the parents from time to time to watch kids' movies. Try to find content that you can all watch together from one device. Streaming services account for a very large amount of the world-wide Internet traffic. Reducing that in a responsible manner will free up network capacity and lower server energy bills (yes, believe it or not, the energy consumption is a fact, backend servers do consume a lot of electricity).
  • If you find that you keep watching the same videos (music, other) from YouTube again and again, do consider using tools to download them and keep playing them from your local hard drive whenever you want offline. There might be of course legal issues with doing this. However, as long as you do not use your local playing for profit (unlikely that you are going to have a gig in your home for money), you should be OK. Doing that in times like this means you are a responsible person and not someone that violates copyright or tries to rob YouTube of advertisement revenue. This is my own opinion of course.  
  • Please do not stream movies while you are not watching them. 

5. Please avoid queuing on call center telephone lines when possible: How many times have you been annoyed listening to that 'elevator' music while waiting to get in touch with the service desk and you have listened to the 'Your call is important for us, all of our reps are busy, please wait while we try to help you' kind of message? Well, many call centers do offer the option of calling you back at the earliest opportunity. If they do, please exercise that option, rather than keeping the phone connection playing this for an hour. You are doing yourself and the phone infrastructure a favor. 

6. Use data compression to keep the size of your files down before sending/downloading them, improve network response times and (please) do not attach them to emails
  • Compression is not applicable to photos/images, videos and music files, as these are usually already compressed or may not be compressible. However, if you have plenty of large text documents (Word, PowerPoint, spreadsheets, PDF documents, programming language source code) that you need to send/download from work, consider using compression tools like these to reduce their size before a transfer. This will reduce both the burden on communication networks and the transfer time.
  • For the most advanced users, compression is a technology that is used to improve interactive response on latency sensitive traffic. A great example of this is the SSH compression option. When this is used in conjunction with X forwarding to gain access to remote desktop environments, it improves both bandwidth consumption as well as the response time of remote desktop environments. 
  • Finally, whether compressed or uncompressed, even if a file is within the few-megabyte size limit that mail servers accept, please avoid attaching large files to emails. This overloads mail servers and, as email is critical for many business functions, I recommend using specific file sharing services instead of email attachments. Examples of services that offer file sharing functionality are given here.
Stay safe and use the Internet efficiently and in a responsible manner!